More Precautions, Less CAPTCHA - Some CAPTCHA Alternatives
By: TcM, 1 month ago
I am pretty sure that we are all bored with the freaking CAPTCHA. CAPTCHAs are boring, some of them are still breakable by spam bots, and the ones that are not are barely breakable by the human eye! So, if you have a website, you might want to consider some of the alternatives I discuss below instead of CAPTCHA. CAPTCHA might be the easiest thing for you to do, but it is the most annoying thing for the user, and besides that it’s still not 100% anti-spam. You don’t need to include all of these alternatives on your website; a few of them (or even one) might be enough to stop spam.
First, you might want to check your content for links using regular expressions. If the regular expression matches, you can reject the form with an error saying that links are not allowed. You can also check for spam-like content; to do this you might want to consider something like Akismet.
If you have a form with 4 fields, your script expects 4 POST or GET fields, so you might want to check that the form page forwarded exactly 4 POST or GET fields. If the script receives fewer or more, it should show an error and not submit the form, because that is probably a bot trying to submit spam data.
You can also check the referrer. When the form is submitted, take the referrer from the headers and compare it with the page that the form is on (for example www.mysite.com/form.php); if the referrer does not match the URL of the form, then it’s probably a bot. Using the headers you can also check the user agent: if the user agent is blank, it probably means it’s a bot (but most bots will fake this, so it’s not 100%).
You can ask the user a logical question (this might still be boring, but it is probably easier than some crazy CAPTCHA). Ask something like ‘What is the name of this website?’ or ‘Copy and paste this text into the textbox below’ or ‘How much is 3 * 4?’ or ‘What is the capital city of Zimbabwe?’ (well, you might want to ask an easier one). Anyway, I think you get what I mean: just make an array of these questions and have your script display a random one.
You might also want to use a fake field (textbox). Make it hidden so the user will not be able to see it, but the bot will. Since the bot sees it, it will fill it in with some text, and the user will not. So, if the POST field of that textbox is empty it is probably a user; if not, it’s probably a bot.
You can also check whether JavaScript can run on the page. For example, write a function that adds some numbers and fills in a fake hidden field (just like the previous method), but this time the check works the other way round: if the JavaScript function is supposed to compute a sum whose answer is 5 and fill in the value of the textbox with that answer, then verify that the POST field of that textbox is 5; if the answer is anything else, it is probably a bot. But this does not always work, because some users might actually disable JavaScript in their browsers.
Another simple trick is to pass the data to another page that displays the information the user entered; the user then has to press a submit button on that page for the form to be submitted properly. Most bots will not be able to know that.
Another, rather complicated, method is to create a session when the user accesses the page and save the server time in a session variable. Estimate how long the user should take to fill in the form (for example 30 seconds); a bot will probably try to submit the data instantly, as soon as the page loads, so rejecting the submission when the time in the session variable and the time the form was submitted are less than 30 seconds apart should stop them.
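The field-count, link, hidden-field and timing checks described above can be combined into one server-side function. This is an added example, not code from the original post; the field names, the honeypot name `website`, the session key mentioned in the comments and the sample submissions are assumptions constructed for illustration.

```php
<?php
// Added example: the article's server-side checks in one function.
// Field names and the honeypot name 'website' are assumptions.
const EXPECTED_FIELDS  = ['name', 'email', 'message', 'website']; // 'website' = fake field
const MIN_FILL_SECONDS = 30; // the article's example threshold

/**
 * Returns the reasons a submission looks automated (empty array = looks human).
 * $renderedAt is the server time saved in the session when the form was shown,
 * e.g. $_SESSION['form_rendered_at'] (assumed key); null if it was never set.
 */
function spam_signals(array $post, ?int $renderedAt, int $now): array
{
    // Edge case: field[]=x arrives as an array; refuse it before any string checks.
    foreach ($post as $value) {
        if (!is_string($value)) {
            return ['non-string field value'];
        }
    }
    $reasons = [];
    // Field-count check: exactly the fields the form contains, no more, no fewer.
    $keys = array_keys($post);
    if (array_diff($keys, EXPECTED_FIELDS) || array_diff(EXPECTED_FIELDS, $keys)) {
        $reasons[] = 'unexpected field set';
    }
    // Fake field: a human never sees it, so it must come back empty.
    if (trim($post['website'] ?? '') !== '') {
        $reasons[] = 'fake field filled';
    }
    // Link check on the free-text field.
    if (preg_match('~(https?://|www\.)~i', $post['message'] ?? '')) {
        $reasons[] = 'link in message';
    }
    // Timing check: no session timestamp, or submitted faster than the threshold.
    if ($renderedAt === null || ($now - $renderedAt) < MIN_FILL_SECONDS) {
        $reasons[] = 'submitted too fast';
    }
    return $reasons;
}

// Constructed sample submissions (not real traffic).
$human = ['name' => 'Ann', 'email' => 'ann@example.com',
          'message' => 'Nice post!', 'website' => ''];
$bot   = ['name' => 'x', 'email' => 'x@example.com', 'extra' => '1',
          'message' => 'buy at http://spam.example', 'website' => 'http://spam.example'];

$shown = 1000; // stands in for the timestamp stored in the session
print_r(spam_signals($human, $shown, $shown + 45));
print_r(spam_signals($bot, $shown, $shown + 1));
```

Only the session timestamp is held by the server; every other value checked here is supplied by the client, so each result is a signal to weigh rather than proof.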
These are some automated alternatives to replace CAPTCHA, but let’s not forget the manual way: you can always verify the data manually, one by one. Of course, this is not feasible for big websites, forums, etc.
Most of these should work in theory, but in practice some of them might even block actual users (like the JavaScript one), so it’s up to you. Personally I never tried any of these alternatives (but I am going to); I was just doing some research on this subject (because I am programming a script in PHP and was trying to avoid using CAPTCHA) and, as always, I am sharing my knowledge.
